I can't read a particular file, even though as far as I can tell I have read rights on it. Here is what "Effective Access" shows:
Here is what Get-Acl is giving me.
PS ...> Get-Acl .\HelloWorld.java | Format-List
Path : Microsoft.PowerShell.Core\FileSystem::I:\...\HelloWorld.java
Owner : ...\Admin
Group : G:S-1-5-21-4281937098-1570975092-1098596674-513
Access : ...\Admin Allow FullControl
Audit :
Sddl : O:S-1-5-21-3073128669-2165567304-4059943147-1001G:S-1-5-21-4281937098-1570975092-1098596674-513D:PAI(A;;FA;;;S-1-5-21-3073128669-2165567304-4059943147-1001)
When I try to open it in Notepad, or even just copy it from command-line, I get an error:
I:\...>copy HelloWorld.java C:\HelloWorld.java
Access is denied.
0 file(s) copied.
I:\...>more HelloWorld.java
Cannot access file I:\...\HelloWorld.java
I'm logged in as Admin, and also the cmd.exe shell is elevated (right clicked and did "Run as administrator").
Note that it wasn't originally SDDL_PROTECTED, but I added that (via Windows GUI) in an attempt to make sure that there wasn't something being inherited that was confusing access. Then I added an ACE to give Admin full control. The drive was formerly a system disk for a Win7 machine, but I'm trying to read it on a Win10 machine.
When the protections are OK, 2 other problems can occur
path too long: some apps don't like it (but you get file not found rather than access denied): workaround: mount a drive in a lower level using subst and access from here
file is open in write mode by another program/service.
file is encrypted using windows built-in encryption. In that case, it works OK on the original computer, but when you mount the disk somewhere else, you get "access denied" even if the permissions are OK
The chances are: it is option 3 since you switched computers.
Related
I am reading and then modifying some data in a file that is located in the Windows program files folder.
Because of this the file does not have write permissions. So I receive an error when trying to write to it.
When manually giving write permissions to the folder containing the file, the script will work.
Is it possible to modify a folders permissions within a Lua script, or write to a file regardless of it's permissions? Or can this only be done manually from the File Explorer?
This is my current section of code that is re-writing the inputFile:
k=0
updatefile = io.open(inputFile,"w")
for k=1,i do
updatefile:write(modfilecontent[k] .. '\n') --This is where I'm blocked by permissions
end
updatefile:close()
Also if there is a solution possible, and I load this script onto another persons computer that does not have admin privileges would the solution still work?
EDIT:
Piglet's solution will work using the os.execute method to change privileges.
As long as the software, that the plug-in is being used in, is ran as admin the first time the permissions will be set. From then on you no longer need to run as admin.
Below is the code that I needed to add to the beginning of the program, minus the brackets of course
os.execute('icacls "C:\\Program Files\\[software name]\\[folder name]" /grant Everyone:(OI)(CI)F /T')
You could use os.execute to run the appropriate Windows command.
See How to grant permission to users for a directory using command line in Windows?
Alternatively use a library that supports stuff like this. Maybe checkout
https://keplerproject.github.io/luafilesystem/manual.html
Also if there is a solution possible, and I load this script onto
another persons computer that does not have admin privileges would the
solution still work?
As that person wouldn't be able to run Lua as administrator that is very unlikely. That would completly defy the purpose of different user levels.
I'm using Windows 7 with a VPN (Cisco AnyConnect) connection to an academic file share server. I copied a PowerPoint file from a local path to the server, and tried to delete the file on the server after no longer needing it.
It now shows up as a 0KB file, and I can no longer perform any actions on it except opening it as read-only. When I do open it as read-only, I receive the prompt "Unknown is working on \server\share_pathtofile. Do you want to open a read-only copy in the meantime?", and the file is empty (no slides, settings, etc). Here 'server_pathtofile' is the entire path of the problem file. I am positive no other user is accessing the file from another machine.
I have tried to overwrite it by Save As, using the same file name. Once I click Save, the save window closes and reopens without performing any action. This happens indefinitely if I continue to click Save. I can save the file with a different name on the server, and delete the file with a different name without issue.
I tried removing problem file using python through the Anaconda Spyder distro i use on my laptop.
import os
path = r"\\server\share"
file = r"\file.pptx"
#file = r"\test2.txt"
f = path + file
os.remove(f)
When i run it for the trouble file, it produces the error:
PermissionError: [WinError 32] The process cannot access the file because it is being used by another process: '\\\\server\share_pathtofile'
I looked into the shutil function, but don't think that'll be any more useful. I suspect the process handle for the PowerPoint file has been corrupted in some way. I thought to try and use Windows to perform the action directly through Powershell:
Remove-Item 'file.pptx'
But received a similar error:
Remove-Item : Cannot remove item \\server\share_pathtofile: The process cannot access the file '\\server\share_pathtofile' because it is being used by another
process.
At line:1 char:12
+ Remove-Item <<<< 'file.pptx'
+ CategoryInfo : WriteError: (\\server...file.pptx:FileInfo) [Remove-Item], IOException
+ FullyQualifiedErrorId : RemoveFileSystemItemIOError,Microsoft.PowerShell.Commands.RemoveItemCommand
UPDATE 1: I tired postanote's suggestion by deleting through cmd.exe
pushd \\server\share
del /f "file.pptx"
The process cannot access the file because it is being used by another process.
I would've thought my inclusion of the powershell attempt to remove the file would've made this approach an obvious dead end. Shoudln't i be trying to find the so-called process that is telling Windows the file is still open?
Also, I was able to reproduce the same issue with a second ppt file and an excel file. They are not 0KB, but upon opening i get the same sort of prompt: "someone else is working on them and you can read-only".
I was making copies of the file within the same folder directory of the file share. My connection to the server got interrupted somehow, as Windows Explorer prompted me saying the connection to server share was able to be found. Upon closing the prompt, Windows Explorer did an unexpected refresh, the mapped drive was fine (i could navigate it without having to remap it), then suddenly I had two more problem files.
It is certainly not having the Windows Explorer preview pane open, i have never used that Explorer feature. Any ideas? We shouldn't let this file win...
PE will only look at process where it was started. Just like Task Manager, and if you are not accessing the file via some process (PowerPoint.exe), or know that in a shared file scenario, no one else has it locked, then you can take action on it.
This is not a PS specific issue (so not really a PS question) or anything related to process explorer and nothing to do with admin right on a server/workstation. If you have read/write/modify/delete permissions on a system / file share, you can act on that file of course.
It's a Windows proper issue. I've seen (and had this happen) this zero length files (depending on how they were created / copied) more than once, and they appear as impossible to delete.
The deal here, often Windows Explorer for such files won't even let you shorten the name via a rename effort. So, name length, odd characters, etc., are often the culprit(s)
So, you need to use cmd.exe and delete the file using the short DOS name. Just do a dir on the location where file is to get the short name and delete it.
dir /X
I'm not much of a Perl developer but I need it to make triggers for perforce.
So this is the background:
I have a windows service that runs as admin that calls the Perl script on windows.
The script needs to create a file on a network storage which is both configured to work with windows and UNIX permissions\security types.
Since the user that is running the script is an admin user all folders and files that it creates under all directories are no inheriting the directories permissions but makes it editable only to root.
What I try to do is create the file and than chmod it to the parent folder's "stat" results.
my ($perms, $uid, $gid) = (stat $ParentDirFullPath)[2, 4, 5];
$perms = sprintf("%04o", $perms & 0777);
chmod($perms, $NewFileFullPath);
The problem is that stat command on windows dosen't get the unix\gid and unix\uid + the chmod command is not really supported.
I looked into the file::stat module to find a way for displaying windows permissions(since they are present there too) to take them and apply them with a command that I didn't test yet that should be probably under the module Win32::FileSecurity.
I didn't find a way to get the permissions from there(I get stat=ARRAY(0x46d0f8)).
Any ideas or suggestions?
TL;DR:("How to?" question) Running Perl script on windows that takes parent folder permissions and applies them on a file that the scripts creates in the network storage that supports both Windows and Unix security/permissions types(the permissions that I want to apply are windows like permissions for groups and users).
Edit:
I tried the next code:
use Win32::FileSecurity qw(Get EnumerateRights);
use Win32;
my $dir1 = "\\\\NetworkStorage\\home\\user1";
my $dir2 = "\\\\NetworkStorage\\home\\user1\\PerlFileSecTest";
my %permissions;
Win32::FileSecurity::Get($dir1, \%permissions);
Win32::FileSecurity::Set($dir2, \%permissions);
And I get the next error:
S-1-5-11-2038111172-1292333386-11111-20315(this is not an original number and it changes this is unix FS user identifier that the AD knows how to parse)
Error handling error: 1332, LookupAccountName.
So it looks like the FileSecurity can't handle that user identifier that is coming from the unix based storage that supports both unixfs and NTFS.
This is strange because when I choose a folder for example and do "right click -> properties -> security tab" I see the numbers and then they are parsed to unixUid\user1 etc...
Any idea how to solve it?
Specifically for my case where the issue was the mixed mode on the network drive I found the next solution to be good enough for me.
I call the "icacls" system command and set permissions manually for the domain users from the folder above.
my $error = system("icacls $CreatedDir /grant domain\\user:(OI)(CI)F /T");
The code above gives full recursive permissions for the user to the folder that was created by the service with the admin user(which caused the folder to be locked only for the rood or admin user in our configuration).
Note that the command above doesn't override existing permissions but it was good enough for me.
So eventually I end up with a folder and files that are accessible to the user that called the specific service which runs with admin user.
Can any user access the %APPDATA% folder? Or can only administrators read & access that directory? Also, do the permissions to access this directory differ over different Windows platforms from 2k to Windows 7?
You can see the permissions on %APPDATA% by using the icacls tool at the command prompt. Here's what it looks like on my machine:
C:\Users\davidp>icacls %APPDATA%
C:\Users\davidp\AppData\Roaming NT AUTHORITY\SYSTEM:(I)(OI)(CI)(F)
BUILTIN\Administrators:(I)(OI)(CI)(F)
MACHINE09\davidp:(I)(OI)(CI)(F)
Successfully processed 1 files; Failed processing 0 files
What this means is that only I, administrators, and the system itself can see the folder. If you run this on a folder where other users can see it, you'll see something like this:
C:\Users\davidp>icacls c:\
c:\ BUILTIN\Administrators:(F)
BUILTIN\Administrators:(OI)(CI)(IO)(F)
NT AUTHORITY\SYSTEM:(F)
NT AUTHORITY\SYSTEM:(OI)(CI)(IO)(F)
BUILTIN\Users:(OI)(CI)(RX)
NT AUTHORITY\Authenticated Users:(OI)(CI)(IO)(M)
NT AUTHORITY\Authenticated Users:(AD)
Mandatory Label\High Mandatory Level:(OI)(NP)(IO)(NW)
Successfully processed 1 files; Failed processing 0 files
You can see that the BUILTIN\Users group can see the c:\ folder (as you would expect).
EDIT
I'm not sure how far back the %APPDATA% variable itself goes back in Windows history. I recommend checking directly. On older systems the cacls command was the predecessor to icacls. Regardless, in Windows NT-based OSes there has always been a profile area visible only to the user and administrators.
%AppData% is a user-specific path. Yes, any user can access %appdata%, but it will go to a different directory for each user. Only an administrator can read the appdata of another user.
Do the effort of actually going to %appdata% on your machine, and looking at the path it gets converted into. Do you see what I mean?
I want to delete my git repository (.git folder) created by git on my windows 7 box. It says access denied to .git/refs/header folder.
I open a console with Administrator role, issue command "takeown /F heads /A /R", it still says "ERROR: Access is denied.", neither can i do via GUI security dialog.
Any suggestion?
Regards,
Green
An access denied error may mean the file is in use by another process and, for a GIT repository, that seems more likely than a file permissions issue.
(I'm assuming GIT is like SVN where every file in the repository is created by your own account with standard permissions. If that's not the case then I may be wrong.)
As a first step, run Process Explorer as Administrator and push Ctrl-F to open a window where you can type the filename and see which processes (if any) have that file open.
When I say "run as Administrator":
I don't just mean when logged in as Administrator. Windows 7's UAC means Administrator accounts don't run things with full admin access by default. Right-click procmon.exe and choose the "Run as Administrator" option.
I assume you're already familiar with this from running the command prompt as admin. If you just changed to an admin account, but didn't use "Run as Administrator" on the command prompt, then that could be why the takeown command failed. The command prompt should say "Administrator:" in its window title if it is properly elevated, unless UAC is off entirely.
If one or more processes are listed, confirm the full file path in the list (in case some other file on disk has a similar name).
Close any processes which have the file open. Try to close them normally if you can. As a last resort you can end-task them. If it's a process running as another user/account, it might be a service which you can stop.
(Ensure View->Show Processes for All Users is ticked, then find the process in question via the PID column. If you think it's a service, hover the mouse over it and a tooltip will appear telling you the name(s) of any services it is running.)
If you cannot find any process accessing the file, or closing them all still results in an access denied error, and you are definitely trying the deletion from an elevated command prompt, then you might want to try telling Windows to delete the file the next time it is rebooted. You can use the SysInternals MoveFile tool for that.